I've been fooling around with metasploit and successfully exploited a WinXP machine with the vncinject/bind_tcp payload. Now i run the same exploit on another machine. Everything goes well but then it sais: "Session is running in the background". Now when i do sessions -i ID it get the message it's not interactive.So i close the first VNC window and try the same exploit on the first pc again. Still starts in the background........ How do i get it UP!?

Do i have to connect to loopback:port something? set autonvc to 0?(I'm not able to test this atm....)

Thx!

ps. Great site!

Last edited by jonas on Tue Jun 16, 2009 2:44 pm, edited 1 time in total.

well to my little understanding...if u use vncinject payload, it will give u access to operate on the target machine in GUI mode. but in some instances, it will complete the dll inject and give u full access and control, and in some instances it will not and only give u the shell (cmd) which u will ave to operate on.

i guess it is only returning the shell to you in your situation which is not bad as well, another thing i noticed about using vncinject is anytime u connect to the target machine, it automatically opens a cmd on the target machine...which can give the admin a clue that something is going on and anything you type/input in the shell at your end will be seen by the target machine user....i dont really like vnc though but i think you were not given the full access to visually control the target.

Yes. I get the VNC full access windows and i can control the computer remotely with the GUI interface. But it only works the first time. Everything after that it all starts in "background" even if im running the exploit on another machine.

But i can't figure out where do bring it up from "running in background" to interact with it.

I am not entirely sure what's happening here. I think that I need a bit more information. What exploit are you running, what are the settings when you run the exploit?

My guess is that you are specifying the same local port both times you run the exploit. If the first connection is still active, I believe the local port will be in use. You can try to specify another local port each time you run the exploit with the vnc payload.

Try running netstat -an (on windows) or netstat -ant (on nix). See what ports are listening each time you run the exploit.

the RHOST will be the same, the LHOST is also the same coz it is your attacking machine, the one u are on, but if you already have an established connection to the target and do not exit it properly, it may still be open in an underground/hidden mode, trying to connect back to the target by running the exploit again might get bounced and tell you there is an established connection, so you will have to change the LPORT which is the port the target will reverse connection back to your attacking machine.

If you launched VNC on the destination machine, the first time, assuming you didn't close it, the VNC listener should still be listening on the 5900 port. Try using a VNC client to connect to that port, on the target machine.

If the initial ports are left open, from your injection of the DLL, then no, you won't be able to re-use the same ports, until both your machine and target get rebooted. IF you change both RPORT and LPORT to fresh, unused ports, the same attack might allow you in, again. Note, though, that many attacks will fail if attempted a second time against the same service on the target, if the target PC has not been rebooted, yet...

Ketchup's response will tell you, though, if the previous port combinations are still in use. But they might not tell you if the service you previously exploited is still in an 'exploitable' state, or if the service needs a restart.

HTH.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'